The latest PCI update offers improvements to ensure security in online transactions, says Tim Lansdale, head of payment security, WorldPay. Tony Morbin reports.
WorldPay head of payment security Tim Lansdale
After January 1, 2015, companies involved in accepting online payment by credit card will need all PCI audits to be completed against the new compliance criteria issued by the Payment Card Industry Security Standards Council (PCI SSC): PCI DSS 3.0 – the latest, triannual update that enforces best security practice in credit card payments.
The five big credit card companies – Visa, MasterCard, American Express, JCB and Discover – joined forces in 2006 to create a unified security system so that a common set of compliance rules was applied across all the schemes. In practice the rules put a lot of the onus on the merchants and service providers to ensure their systems are secure, that any outsourced third parties such as data processors also comply with the system, as well as any new technologies introduced. For large ‘Tier one' enterprises, close involvement in the development of the standards has resulted in general satisfaction with the changes. Similarly, the banks that act as ‘merchant acquirers' – ensuring the money from a cardholder's account ends up in the account of the merchant selling the goods or service – are supportive of the tighter regulations. However, challenges remain: Some smaller merchants may face more of a challenge and mobile payments are not specifically covered by the new regulations.
SC Magazine UK spoke to several of the interested parties to get their perspective on the changes, and the actual or likely consequences of implementation, including the PCI SSC itself; a leading merchant acquirer, WorldPay; a major merchant, BT (formerly British Telecom); as well as an informed player in the vendor community, Trustwave.
First, SC asked Tim Lansdale, head of payment security at WorldPay, an acquirer seeking to ensure that its merchants comply with the PCI regulations, what he believes are the most important changes in 3.0 and how they will affect merchants.
“In terms of security, it's probably the unique authentication credentials required for each customer, as this accounts for nearly 10 percent of data breaches,” Lansdale says. “We saw a 500 percent increase in third-party breaches between 2010 and 2012, so making that more secure is very important.”
The most important change in terms of cost or disruption? “The requirement to improve capture of card data could be expensive for a large retail network,” he says. “For others, it could be implementation of the pass phrase – longer password – which for some could require a system upgrade.”
Implementing 3.0 will be easier for some merchants than others, with most of the difficulties at the point of interacting with the end consumer, he says. “Each merchant and payment environment needs to be considered separately. For example, the new requirement to evaluate malware threats will particularly affect those using Linux systems, as it's not a community generally affected by malware from a merchant's perspective. Therefore, they have not previously looked at this issue, but will need to do so now.”
Jeremy King, European director for the PCI SSC, explained background to the update and its timing. “PCI operates as a community, reaching out to everyone – the merchants, the vendors, the providers – and asks, ‘What's good, what's bad?' What came back was that every two years was not long enough to get fully through the update before it was changed, so in 2010 we went to three years for the update. But we don't take the old one out until a year after the new one has been around, so you have a full four years. But if you are ready, you can implement immediately.”
The council responded to both changes and challenges identified by its community of users, and those of forensic investigators who look into the breaches, and then drew up its updates aiming for steady progression without major changes. The chief problem identified was passwords, with default passwords especially causing a lot of problems, allowing criminals to get into people's systems too easily. The UK government and analyst firm PwC had identified a direct correlation between training staff and seeing a reduced likelihood of being breached and this too was considered.
“We have modified our standards to look at a few key areas,” King says. First, training. This involves training everyone who is involved in the process, from sales assistants through to top-level management. All have to understand what data security is all about. “Get this into people's mindsets and make it ‘business as usual', so that with everything you do, you think about security.”
Secondly, more flexibility is required, with passwords being a classic example. “We used to say you had to have seven alphanumeric characters, and for the past two years Trustwave reported that the most popular password in the world is ‘Password1' – which meets the requirements, but is not the best password,” King says. “Nowadays, there is more of a shift towards pass phrases – putting words together with some alphanumerics – something memorable so you don't have to write it down.” This is significantly stronger and begins to allow people to improve their security, he says. “Then train staff to update it and get it to ‘business as usual'.”
This move is welcomed by WorldPay's Landsdale, though he notes it is not without its difficulties. “Reconfiguring their password approach and complexity is the biggest issue for many merchants,” he says. While he says it's a positive move that consumers can now use password phrases, for many merchants this will require reconfiguration of their systems, and this might prove complex for some. Overall, though, he says that as the memorable phrase can now be quite long, it's an easier way of getting stronger passwords, so it's a sensible move.
Further, there is now a greater emphasis on the capture of data and the use of and response to that data when anomalies occur, with clear identification of responsibilities when using outsourced suppliers. King notes that investigators have found that almost 70 percent of breaches are directly related to poorly installed software. Most merchants don't develop software themselves, they buy it in. If it is poorly installed – e.g., if the default password hasn't been changed or the installers have switched off the firewalls to install their software and forgotten to switch it back on – then the merchant doesn't know that it is open to attack.
“In all the changes, people will remain the most important element,” says Lansdale. “There are old systems and technologies that work with the minimum of problems because they are well run, whereas there are new systems and technologies which have been poorly implemented and run, and these have problems. Technology is only a tool and it has to be used appropriately.”
One of the initiatives that the PCI SSC launched last year and is still driving forward is its programme aimed at QIR– qualified integrators and resellers – which is training for installers, integrators and resellers of software to make certain they have a secure process in place. The point is to allow them to go to merchants and do a much more secure job of installing software.
“We also find that criminals break into the systems too easily,” says King. “They can be in the system a long time – 180 to 200 days – before they are found, and you don't find them, someone else does, and you'll be told that you are the cause of the problem. So we are also trying to improve the standard around logging. The problem is that the systems will be logging things every minute of every hour, so it's important to understand how to get the anomalies highlighted from the day-to-day activities.”
Response is the key word in log maintenance, Lansdale agrees. “If you see anything untoward, you need to respond and deal with it. Previously, there was a need to create log files, but they weren't always monitored. Now if you detect changes, you must have a system in place to respond to it. It's a move away from box-ticking to best practice as ‘business as usual'”.
This monitoring extends to information managed by service providers that is, in turn, being monitored by merchants. It's primarily keeping on top of the paperwork and making sure that merchants focus on what they are responsible for. They will need to realise that even if they outsource, they still have residual responsibilities. This requirement draws attention to what they are, as outsourced payments still need to be compliant and the merchant will need to not only ensure that its provider remains compliant, but keep a check on them.
The requirement for service providers to explicitly identify, agree to their responsibility and inform their suppliers means that they won't want to send out such notifications, says Lansdale. “We expect this requirement to be the one that they object to most. If there is a data breach, they will be required to remediate this, and they may not want to say so beforehand – even if it was already understood to be the case.”
However, the call for more detailed data flow diagrams is unequivocally welcomed as previously many people would use network diagrams which could be complicated and confusing. “It's easier to perform scoping if you look at the data flow,” says Lansdale. “The data flow is also harder to get wrong, whereas the network can be open to interpretation. As an acquirer, this is a big tick box. You can quickly identify which network components you need to be investigating. It's a more intuitive thing than a network.”
For example, he says that in a large level one ecommerce site, a data-flow diagram might show multiple access by all three channels – online, mail order and telephone order – and where these were shared on the network. This is inherently vulnerable, he asserts, as a compromise in one area would then require the closure of all three, and the most complicated channel will decide how long the system is down. Whereas if all three channels are separate, then if one is out of compliance, it does not affect the other two while it is being brought back up to compliance.
The world's oldest telecommunications company, London-based BT, has a different perspective. While it is a merchant that needs to ensure that its range of services are PCI compliant (with 15 different platforms, mostly operating at a tier one level), it is also a QSA, checking the compliance of others, in addition to being a provider of security services. Sarah Nicholson, security, policy and compliance at BT, told SC: “As we are a QSA ourselves, we are able to get good hard advice and guidance internally to ensure that we remain compliant, and link that advice into how we design our service.” As a merchant, the company needs to be assessed by an external QSA who will report on our compliance, and we will be meeting in early December to discuss BT's transition to the new PCI DSS standard, she adds.
“The new standard has been cascaded across BT, and we will learn from each of our platforms how they think the changes will impact on our activities,” Nicholson says. Some of the issues she expects to be platform-specific, and others to relate to BT central operations, and she and her team will work through with the QSA what they mean for BT. “Our range of platforms means looking in-depth and conducting monthly and quarterly meetings as new services, infrastructures or functionality is added, and conducting GAP analyses each time there is a change to ensure that they are brought on stream in a compliant way.” One such example of increasing functionality over the past year she points to is the company's donation infrastructure for its BBC Children in Need charity.
Candice Pressinger, head of group PCI-DSS compliance at BT, adds: “It is built into our contracts [with suppliers] and we will factor in compliance. There is segmentation of platforms so each is independently compliant with quality assurance by each of the CFOs responsible for their own system.”
For Lansdale, this transition period was seen as an area where further improvement would be welcomed. “I would like to see more low maintenance compliance,” he says. “You get an audit and you are compliant, valid for a year. But you may be subject to merger, acquisition, introduction of multi-channel payments, and it's difficult to roll out the changes while staying compliant. PCI falls short of advice on compliance during expansion.” Temporarily being out of compliance in such circumstances should not be seen as being in breach and some leeway should be given during change-over periods, he says.
For BT, the transition period did not seem too arduous. “We will be cascading implementation of 3.0 throughout 2014 across each of our 15 platforms, reviewing our understanding of compliance issues during the changeover,” says Pressinger. “We have started the planning stage now, with implementation scheduled from mid-2014, once we have completed our impact assessment.”
Regarding third party responsibilities, Pressinger commented: “For any new part of a programme, we will look at the whole payment journey and see where BT is liable as a merchant,” says Pressinger. The company, she says, has robust procedures in place so is confident it already meets the requirements of the new rules in this regard. “Any time that we engage a third party this is clearly a requirement, and this assures us that the requisite assurances are requested and expected from our suppliers,” she says.
Meanwhile, BT's Nicholson explains that in 2012, when PCI compliance members were invited to suggest topics for the Council to set up specialist interest groups, among those topics selected was one suggested by BT. As a result, it is now involved in two sets of specialist interest groups, QSA and other interested parties, which have run throughout 2013 and into 2014.
“A third party ‘best practice' paper is to be issued between January and March 2014, and we will be very interested in the recommendations, some of which will already be in 3.0,” Nicholson explained. “We would then compare to see where we can make further improvements – if any.” It really is beneficial to all who are a party to this, she added.
Additionally, King of the PCI SSC emphasises the requirement for appropriate training, reiterating how it is people, along with the process and technology that enables security. As an example, he recounts how the PCI SSC has evolved some of its requirements to counter recent attacks on POC terminals where criminals pretending to be service engineers installed compromised terminals – or simply mailed a new ‘updated' terminal with instructions to install it and return the old one back to them – all looking quite official. A small merchant wouldn't necessarily know anything was wrong.
“We have had to put in additional training to ensure staff understand what their terminal looks like, take a picture, see what colour wires are going in and out,” says King. “The challenges are different between big and small merchants. We used to see the criminals going for the big merchants – and they still do – but the big merchants have got much better and mostly don't store the cardholder data and have better data security. And the criminals have seen where the weakness is. The problems are often smaller merchants going online and walking into a minefield. The challenge is to get standards and support in language that [these smaller merchants] understand – which is an ongoing action for us – for 2014 and beyond.”
For smaller merchants with self-assessment, simple language is needed as the PCI regulations are viewed as too technical for most merchants, creating a barrier to compliance. If it's too difficult, it gets put in the back of the draw, Lansdale says. “The previous change in documentation format – from v1 to v2 – was impenetrable. This v3 is much better. The introduction of a third column, which offers guidance, describes the context and the intent behind each rule, so it's not just an instruction. This is really useful when you are implementing a change.” When the guide notes were in a separate document no one read them, he adds. “Now they are easier to access, read and implement.”
King agrees that the old documents used to ‘bamboozle' people, whereas now, “Next to every requirement, we say, ‘this is what we mean.' Merchants are happy as they have someone to get them ready before the QSA visits. And, QSAs are happy as they have someone who understands all the questions that they ask, speaking the same language, so the time taken is reduced, efficiency has gone up and merchants are better prepared,” King says.
For the larger merchants, such as BT, the problems were always fewer. “There will be implications for running costs of implementing the recommendations, including equipment and training, but we well understand these, have budgeted for them, and have factored this into our plans,” says Nicholson. Satisfaction with v3 and the card schemes may be a size or cost issue, but she says her company has a good working relationship with the PCI SSC and with Visa. They are willing to debate and discuss issues, she says. “PCI is here and has had a positive effect. The new version strengthens corporate governance and is very important to ensure that brand integrity is upheld. It ensures we have the most rigorous standards and our customers know that we are very safe. So, from a brand perspective, regulation underpins that claim.”
Plus...Mobile remains a challenge
Talking to SC after the introduction of PCI DSS 3.0, Michael Aminzade, director of compliance delivery for EMEA and APAC at Trustwave, comments: “3.0 has done a lot of good things, but it does not specifically cover mobile payment solutions: apps, development practices and working within the mobile ecosystem generally. It's an environment that is not in the service provider's control – often not using their hardware and on an operating system that has not been established in the same way with the same control systems as more mature technology. There are tens of thousands of developers working on applications – people you will never see – and you may write a specific application for your own service, which will run alongside these apps that may have been insecurely developed, or with vulnerabilities, and you are requesting personal payment details through this platform, which may be jail-broken.”
It's a criticism which the PCI acknowledges. “What you won't find in v3 is requirements specific to mobile payments,” says Jeremy King, European director, PCI SSC. “That's because for us, PCI DSS is the over-arching standard, so using mobile has to conform to PCI DSS. Behind that is a whole new raft of challenges that we, and everyone, faces – whether to make payments, to accept payments or generally engage in mobile commerce.” What PCI has done is to reach out to its community, he says, linking up with the GSMA association (a group of mobile operators), as well as entering discussions with Google, Apple and others to ask how to make these things secure. That's the challenge,” he admits, “because fundamentally it isn't secure.”
Aminzade agrees, as he points out there has been a 400 percent increase in mobile malware seeking to capture personal payment information. “Cyber criminals are now focussing on this,” he says. For its part, Trustwave has identified six criminal syndicates with a sophisticated criminal strategy of knowing which platforms to attack. “In contrast, staff training on point of sale (POS) device tampering is not mandated until 1 July 2015, and use of iPads as POS devices makes it easier for criminals to perform swaps as they can just buy them rather than needing to steal/duplicate PoS devices.” Trustwave has found that companies have been transferring apps that worked on fixed POS devices and just assumed they would work equally well on mobile devices. But, the data is easier to access and authentication easier to bypass. In fact, some companies use staff numbers or four-digit codes for access with no extra authentication, making it easy to crack and access back-office information, raising a raft of potential issues.
As a result Aminzade says there are two areas that he believes need to be included in any 3.0 update: It should cover mobile platforms; risk assessment should be built out more, including an agreed-upon industry standard; implemented by a qualified person; and with reporting to a person with specific responsibility for this area.
The conclusion is that mobile device management solutions are currently not mature enough and there is a lack of people with the right skill-set as they move from Windows environments to the range of mobile operating systems, each with their own strengths and weaknesses. The administrator then has to choose between achieving the required speed to market or implementation of a full security programme.
King says that the PCI DSS, which sets up task forces where it needs specific technical advice, has had a task force on mobile running for more than a year, which is a long time for the organisation “because the challenges of trying to secure cardholder data on mobiles is difficult and malware on Androids products is a huge problem. Essentially, 3.0 says you must protect the cardholder throughout the transaction process, if you are using x, it must meet that requirement, and that's a challenge.”